opentrade-portfolio
Warn
Audited by Socket on Mar 19, 2026
1 alert found:
Security (MEDIUM)
SKILL.md
SUSPICIOUS. The skill's portfolio-checking behavior and token requirement fit its stated purpose, but its execution model relies on repeated raw GitHub pipe-to-shell installation of an external CLI and then passes API credentials to that CLI. The main concern is supply-chain and credential-forwarding trust, not clear evidence of malicious intent.
Confidence: 81%
Severity: 74%
Audit Metadata